
[caclmgrd] Translation of ACL Control Plane rules into iptables comma…#1738

Closed
denis-maslov wants to merge 1 commit intosonic-net:201803from
denis-maslov:acl_control_plane

Conversation

@denis-maslov

- What I did
The problem
ACL control plane rules were not being translated into iptables rules
The config_db.json fragment with ACL configuration:

```json
    "ACL_TABLE": {
        "TEST_ACL_TABLE": {
            "policy_desc": "Forward/Drop/Redirect Traffic",
            "type": "CTRLPLANE",
            "services": [
                "SNMP"
            ],
            "ports": [
                "Ethernet101",
                "Ethernet102",
                "Ethernet103",
                "Ethernet104"
            ]
        }
    },
    "ACL_RULE": {
        "TEST_ACL_TABLE|DROP_ON_ETH101": {
            "PRIORITY": "1011",
            "SRC_IP": "10.1.1.2/32",
            "DST_IP": "10.2.2.2/32",
            "ETHER_TYPE": "0x0800",
            "TCP_FLAGS": "0x30/0xFF",
            "IP_TYPE": "IP",
            "PACKET_ACTION": "DROP"
        }
    },
```

- How I did it
The causes

  1. There was no check whether the IP protocol is "tcp" before adding the --tcp-flags argument to the iptables command.
  2. It is necessary to set both the mask and flags fields with the --tcp-flags argument, but there was no parsing of the mask field from the configuration DB.

- How to verify it

  1. Add the fragment above to config_db.json and apply the new configuration.
  2. Check that the ACL rules are created:

```
admin@sonic:~$ acl-loader show rule
Rule ID         Rule Name       Priority    Action    Match
--------------  --------------  ----------  --------  --------------------
TEST_ACL_TABLE  DROP_ON_ETH101  1011        DROP      DST_IP: 10.2.2.2/32
                                                      ETHER_TYPE: 0x0800
                                                      IP_TYPE: IP
                                                      SRC_IP: 10.1.1.2/32
                                                      TCP_FLAGS: 0x30/0xFF
admin@sonic:~$ acl-loader show table
Name            Type       Binding    Description
--------------  ---------  ---------  -----------------------------
TEST_ACL_TABLE  CTRLPLANE  SNMP       Forward/Drop/Redirect Traffic
```

  3. Check that the ACL rules are translated into iptables:

```
admin@sonic:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  10.1.1.2             anywhere             tcp dpt:snmp flags:FIN,SYN,RST,PSH,ACK,URG/ACK,URG
DROP       udp  --  10.1.1.2             anywhere             udp dpt:snmp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

- Description for the changelog

Translation of ACL Control Plane rules into iptables commands fixed

- A picture of a cute animal (not mandatory but encouraged)

  __________
 / ___  ___ \
/ / @ \/ @ \ \
\ \___/\___/ /\
 \____\/____/||
 /     /\\\\\//
|     |\\\\\\
 \      \\\\\\
   \______/\\\\
    _||_||_
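To make the two causes concrete, here is an added example (not caclmgrd's own code) that translates the ACL_RULE fragment above into iptables arguments: it parses `TCP_FLAGS` as `flags/mask`, emits `--tcp-flags <mask> <flags>` only for the tcp variant of the service, and reproduces the two INPUT-chain rules shown in the `iptables -L` output. The `SERVICES` map and the `SAMPLE_RULE` dict are constructed for this example.

```python
from ipaddress import ip_network

# Bit values of the TCP flags that iptables --tcp-flags understands.
TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]

# Constructed service map for this example: SNMP is bound on tcp and udp 161,
# which is why the page's iptables output shows one rule per protocol.
SERVICES = {"SNMP": [("tcp", 161), ("udp", 161)]}

# The ACL_RULE entry from the config_db.json fragment above.
SAMPLE_RULE = {"PRIORITY": "1011", "SRC_IP": "10.1.1.2/32",
               "DST_IP": "10.2.2.2/32", "ETHER_TYPE": "0x0800",
               "TCP_FLAGS": "0x30/0xFF", "IP_TYPE": "IP",
               "PACKET_ACTION": "DROP"}


def flag_names(value):
    """Render a TCP flag bitmask as the comma-separated list iptables expects."""
    names = [name for name, bit in TCP_FLAG_BITS if value & bit]
    return ",".join(names) if names else "NONE"


def parse_tcp_flags(field):
    """Parse the config_db value 'flags/mask' (e.g. '0x30/0xFF') into ints.
    If the mask is absent, the flags themselves are used as the mask."""
    flags_str, _, mask_str = field.partition("/")
    flags = int(flags_str, 16)
    mask = int(mask_str, 16) if mask_str else flags
    return flags, mask


def rule_to_iptables(rule, services):
    """Translate one ACL_RULE entry into iptables argument strings, one per
    (protocol, port) of each bound service. Only SRC_IP is matched, mirroring
    the 'anywhere' destination in the iptables -L output above."""
    cmds = []
    for svc in services:
        for proto, port in SERVICES[svc]:
            cmd = ["iptables", "-A", "INPUT", "-p", proto]
            if "SRC_IP" in rule:
                cmd += ["-s", str(ip_network(rule["SRC_IP"]))]
            cmd += ["--dport", str(port)]
            # Cause 1: --tcp-flags is only valid for tcp, so skip it for udp.
            if "TCP_FLAGS" in rule and proto == "tcp":
                flags, mask = parse_tcp_flags(rule["TCP_FLAGS"])
                # Cause 2: iptables takes the mask first, then the flags to match.
                cmd += ["--tcp-flags", flag_names(mask), flag_names(flags)]
            cmd += ["-j", rule["PACKET_ACTION"]]
            cmds.append(" ".join(cmd))
    return cmds
```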

@msftclas

msftclas commented May 23, 2018

CLA assistant check
All CLA requirements met.


@jleveque jleveque left a comment


@denis-maslov: Can you please close this PR and make the same PR against the master branch? Once it is merged into master, we will cherry-pick it into the 201803 branch.

peterbailey-arista pushed a commit to peterbailey-arista/sonic-buildimage that referenced this pull request Nov 3, 2025
…onic-net#1738)

#### Why I did it
Updating headroom pool & PG settings for dis-agg UT2 device.

##### Work item tracking
- Microsoft ADO **(34447718)**:

#### How I did it
Updated buffer settings in HWSKU files.

#### How to verify it

#### Which release branch to backport (provide reason below if selected)

- [ ] 201811
- [ ] 201911
- [ ] 202006
- [ ] 202012
- [ ] 202106
- [ ] 202111
- [ ] 202205
- [ ] 202211

#### Tested branch (Please provide the tested image version)

#### Description for the changelog
#### Link to config_db schema for YANG module changes
#### A picture of a cute animal (not mandatory but encouraged)
mssonicbld added a commit that referenced this pull request Jan 31, 2026
…tically (#25244)

#### Why I did it
src/sonic-sairedis
```
* 2457bb8d - (HEAD -> 202511, origin/202511) [Mellanox] Add phcsync activation for mellanox platforms. (#1752) (2 days ago) [mssonicbld]
* bcbf7158 - [202511] Upgrade SAI to v1.17.4 (#1749) (3 days ago) [Vivek]
* 5eec8434 - [syncd] Remove syncd redis objects if using ZMQ notifications (#1738) (6 days ago) [mssonicbld]
* 7770f146 - [vslib] MACsec interface creation command fails on VM/VS with send_sci=false and SCI combination. (#1737) (6 days ago) [mssonicbld]
* 4a62e3d2 - [202511][ci] use correct slave container for each branch (#1746) (6 days ago) [yijingyan2]
* cff5ae14 - Fix sonic-vpp build issue in master (#1745) (7 days ago) [mssonicbld]
```
#### How I did it
#### How to verify it
#### Description for the changelog